Mac hacks, BBC attacks and backing hackers
Posted on 18 Jun 2009 at 11:20
Davey Winder exposes the 100% secure Mac myth, questions the BBC's botnet morality, and considers hiring hackers.
Firefox was brought crashing to the ground by the same predictable means as the others, leaving only Google's Chrome standing unhacked by the end of the day - which doesn't mean that Chrome is 100% secure either, merely that its sandbox and other security features stopped these particular hackers from executing these particular remote code exploits on this particular day. For the record, I should point out that the sponsor of PWN2OWN is TippingPoint, a company that provides the prize money in return for ownership of all details of the vulnerabilities and the exploit code, both of which are immediately handed over to Apple, Microsoft and Mozilla so they can work on fixes for them.
Botnets be damned!
Regular readers will be aware that I have a morbid fascination with botnets and the people who create, operate and profit from them. There can be absolutely no doubt that botnets have become Public Enemy Number One for our online security. Whoa, some of you may be thinking - what about spam, what about trojans, what about spyware? - to which I humbly reply: well, what about them? All of those problems are carried or facilitated by botnets. Botnets distribute spam, trojans and other malware, and they've even been used to perpetrate click fraud crimes, whereby pay-per-click adverts are fitted out with automated clickthrough to boost revenues. One report that crossed my desk last year suggests that botnets are involved in as much as 25% of all click fraud traffic, with ever more sophisticated methods being employed to disguise the true nature of the activity. And at one point last year - before the McColo takedown, which temporarily threw a spanner into the spamming works - just six botnets were thought to be distributing a staggering 85% of all global spam. The McColo shot proved to be nothing more than a flesh wound, despite early reports suggesting that spam had dropped in volume by as much as 70%, and the numbers have already risen to pre-takedown levels. Within weeks one botnet, Mega-D, was back in action and responsible for around half of the spam by volume. Mega-D can handle 26 million emails per minute, or more than half a million emails per infected PC per day.
With this kind of volume it's no wonder the botnet business has become such a money earner, and not just in the obvious ways: it earns for both botnet landlords and their spammer tenants (spamming time is rented by the hour, so the bigger the net the more the money), but also for the programmers who devote their considerable skills to advancing the malicious technology. I've watched as the trojans that harvest the zombie PCs for botnets grow ever more complex, ever more cleverly disguised to avoid detection, and ever more expensive to purchase. For example, one such trojan, which came with a guarantee of invisibility, was selling for not far short of £1,000 per end-user licence toward the end of last year - with grim irony these bad guys employ straightforward commercial software licensing to protect their intellectual property, rather than open source. This trojan promised to go undetected by the top ten antivirus applications, courtesy of its ongoing morphing capability that provides an ever-changing shell as a cloaking device. I asked a couple of white-coated security lab techies about the claims for this beast, and was told that their code analysis confirmed its ability to generate pretty well infinite variants that would certainly foil any signature-based AV solution. It did, however, remain detectable by heuristic or other kinds of behavioural-based technology, for the time being at least.
I've never said that Macs were 100% secure...
...just that, given a reasonable amount of common sense, they were far less likely to deteriorate over time than Windows systems, and far more intuitively usable to the average new/inexperienced user (or expert) than either Windows or Linux. I say this with 25 years' experience developing for and supporting Windows in every environment imaginable.
I've blogged about this sort of thing a few times, talking about the debate between adequacy and excellence (http://tr.im/wmRR), "Happy Updating...." (http://tr.im/wmS7) and, particularly, "Differences that Make Differences *Are* Differences" (http://tr.im/wmSh). I'd be very interested in your thoughts.
By jdickey1 on 14 Aug 2009
Davey Winder
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.

